Secure The Core: Advice For Agencies Under Attack

International espionage, Russian hacker mafias, Chinese generals moonlighting as cyber criminals, and a global plague of sophisticated, malicious intruders... sounds like a Clancy novel, doesn't it?

In fact, high-profile breaches by such nefarious actors are all too real. In just the last few months, the US Office of Personnel Management, the Government Printing Office, and the Government Accountability Office were breached by Chinese hackers, and records of background checks performed by US Investigations Services, a government contractor, were compromised in what looks like a state-sponsored attack.

State of urgency
The scope of the threats is massive and mutating; the US Director of National Intelligence has ranked cybercrime as a top national security threat. Given limited budgets and resources, prioritizing efforts and focusing on essential measures is paramount. In light of the multiple types and sources of attacks, cyber security teams are in a constant state of urgency. All of this can lead to a lack of focus. Panic-driven reactions, unclear compliance mandates, and lack of funding and expertise get in the way of effective cyber security implementation. High-visibility breaches prompt those responsible to make a big show of "fixing" the security lapses by investing in the "latest and greatest" technologies in an effort to provide reassurance to partners and clients.

This is rarely an effective response and isn't a prudent use of resources. Instead, there should be a return to basics, a common-sense approach that will effectively mitigate risks at a lower cost.

First, secure the core
Government agencies need to focus on the core of their infrastructure where the critical data actually reside. The top priority should be implementing stringent controls around access, user management, systems configuration, and data encryption. I believe that analysts often give insufficient guidance based on their bias for new and more "interesting" technology. It should be emphasized that inline network technologies are distinct from fundamental security controls, which should always come first.

[Homeland Security wants some new tools. See Wanted By DHS: Breakout Ideas On Domestic Cybersecurity.]

The core infrastructure should be prioritized over the network boundary; if the core is weak, critical assets are at risk, no matter how much money and time has been invested in fortifying the perimeter. In fact, Verizon's most recent Data Breach Investigative Report indicated that 90% of the cyber attacks surveyed could have been prevented if simple security controls had been implemented. PricewaterhouseCoopers' 2014 US State of Cybercrime survey similarly found that fewer than half the organizations surveyed took necessary precautions.

Focus on data security
The PwC survey noted that among government services, unauthorized access to information, systems, or networks was reported by 24% of respondents. This alarming statistic, in conjunction with the recent breaches of sensitive info, highlights an urgent need for stronger data protections. Initiatives aimed at securing the core should also focus on system configuration, user management, and continuous monitoring of all of these factors. In the universe of cyber criminals, personal data is as prized and hoarded as money. Critical data (intellectual property, personnel and financial records, sensitive communications, etc.) being collected and stored must be properly handled and encrypted. It is important to note that data residing on outside contractors' systems are particularly vulnerable and should be included in security mandates.

Systems configuration is at the heart of security
Likewise, it is imperative to ensure that any system that touches critical data is properly configured and aligned -- on an ongoing basis -- with the appropriate set of security controls. The continuous monitoring requirements are straightforward. Security controls include monitoring event data (log and activity data) and state data (configuration and vulnerability state). These essential controls examine system settings to ensure they are aligned with best practices as defined by DISA, NIST, SANS, etc. Monitoring systems (including network devices, data storage, and applications) continuously on a near real-time basis enables organizations to detect weak links in their core infrastructure where critical data resides. Implementations should include mechanisms to measure controls against standards, find the deviations, and take remedial action to correct them.

Finally, after taking steps to secure and continuously monitor the data and systems at the core of your computing infrastructure, it is then appropriate to address the network layer, implementing antivirus and antimalware, intrusion prevention, firewall, and other technologies that help protect the network and keep the bad guys out.

Propagate a security culture
The human component of security should never be overlooked; user access privileges must be consistently and continuously managed, supported by clear policy and enforcement. Building cyber security into the organizational culture and mission is crucial. Everyone who touches critical data or connects to your network -- from executives to entry-level personnel, contractors to supply chain vendors -- must be under a mandate to practice and monitor proper user behavior. Thoroughly educating all users about the potential consequences (to the individual and the organization) of careless online behavior is an affordable and effective front-line defense strategy.

The recent and ongoing pile-up of government agency breaches shines a floodlight on the frightening vulnerability of online storage and networks. As governments increasingly conduct their operations in the cyber realm, building strong defenses at the heart of critical data and communications systems has become an urgent matter of national security. Hunker down and focus on the basics, continuously monitor and remediate, and train all the good guys to be cybersecurity guards.

Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge. Get the new Flexibility Equals Strength issue of InformationWeek Government Tech Digest today. (Free registration required.)